OK, I set Session.cookie_httponly and session.referal_check both to 1 to enable them, but for some reason, around 1 week later, I received an audit check and found out that I still have the HttpOnly security error. I checked the PHP settings again, and now for some reason Session.cookie_httponly and session.referal_check have no value, so they are now disabled.